[00:00.000 --> 00:07.280]  Greyhat SSH shenanigans. This talk is going to be about all of the cool offensively focused
[00:07.280 --> 00:13.600]  things you can do with SSH. If you are a red teamer or a pen tester and you don't have SSH
[00:13.600 --> 00:18.180]  in your toolbox already, hopefully you'll see why you should have it in your toolbox and all
[00:18.180 --> 00:27.400]  the cool fun things you can do with it. And if you're advanced, you've already been using SSH,
[00:27.400 --> 00:34.500]  hopefully there's a tip or a trick or two that you can pick up here as we go through all of this.
[00:36.420 --> 00:42.220]  So how is this talk going to go? We're going to start off with the basics,
[00:42.220 --> 00:47.360]  because you have to start at the beginning. Then we're going to start looking at all of the
[00:47.360 --> 00:53.700]  interesting things you can do with port forwards, how you can use those to get past firewalls,
[00:53.700 --> 01:00.500]  hide your traffic, make it look like you're accessing systems from other systems, and a
[01:00.500 --> 01:07.640]  bunch of cool things. Next we'll look at the configurations, so fun with the configs.
[01:07.640 --> 01:12.880]  SSH has a bunch of different ways you can modify its behavior and make it do things that users are
[01:12.880 --> 01:17.780]  probably not intending. It leaks a bunch of information about what users are accessing,
[01:18.400 --> 01:25.580]  how they're accessing them, where they're accessing them, etc. And then lastly we'll look
[01:25.580 --> 01:32.860]  at stealing creds. So SSH, as we'll see, has access to credential material, and we would
[01:32.860 --> 01:37.240]  like to get access to that, and we will show a couple different successful strategies in doing
[01:37.240 --> 01:47.340]  so. First, who am I? My name is Evan. I'm also Syndrome on Twitter. I am the Director of Offense
[01:47.340 --> 01:56.780]  at a company called Randori. I've been red teaming forever. I'm into CTFs. I do CCEC,
[01:56.780 --> 02:06.420]  all that kind of stuff. So check me out. Let's get into it. So the basics. Starting off,
[02:06.420 --> 02:13.700]  what is SSH? So SSH stands for Secure Shell. It is a replacement for the original plaintext
[02:13.700 --> 02:21.300]  protocols of Telnet and RSH, which were both used to get shell access onto Unix systems
[02:21.980 --> 02:31.160]  and administer those remotely. SSH can be used to refer to both the daemon and the client. So
[02:31.160 --> 02:36.960]  you will hear someone say SSH to that box. That means that they use the SSH client to connect
[02:36.960 --> 02:44.640]  to a server that was running the SSH daemon and logged into it that way, got a prompt,
[02:44.640 --> 02:50.840]  and did whatever. The most common version of SSH that you're going to run into is OpenSSH.
[02:53.580 --> 02:59.860]  OpenSSH runs on pretty much everything now, and there are a few other ones that we'll go over,
[02:59.860 --> 03:06.080]  server and client, coming up. Like I said, it's used to remotely administer systems.
[03:06.080 --> 03:10.160]  You can upload and download files. You can run commands on the shell,
[03:10.160 --> 03:17.000]  etc. And then SSH also provides encrypted channels, which are little tunnels that you
[03:17.000 --> 03:21.860]  can make in the SSH session that will let you do port forwarding that we'll see here in a minute,
[03:21.860 --> 03:31.980]  X11 forwarding, and get your shell. So why is SSH useful for an attacker?
[03:32.960 --> 03:37.980]  Really, SSH can be thought of as a Swiss army knife for red teams.
[03:38.620 --> 03:44.140]  This lets me accomplish anything I need to do with a system if I can get SSH access. So I can
[03:45.120 --> 03:50.700]  download files. I can upload files. I can run commands. I can maintain access to a system.
[03:51.220 --> 03:56.160]  I can configure the system such that it does things differently than the user is expecting.
[03:57.280 --> 04:01.300]  I can get credentials out of it. All of the things that I need to be able to do
[04:01.300 --> 04:05.780]  to get systems and get into systems and pivot around inside a network.
[04:05.780 --> 04:08.600]  And it's all encrypted by default for me.
[04:15.940 --> 04:20.840]  So the common SSH clients and tools that you'll run into.
[04:21.260 --> 04:27.700]  Like I said, on most Unixes, the common SSH implementation is OpenSSH.
[04:28.720 --> 04:35.500]  On embedded systems, sometimes you'll run into Dropbear, which is just a very small
[04:35.500 --> 04:40.620]  implementation of SSH. And just the difference here is some of the functionality that we go
[04:40.620 --> 04:47.840]  over here might not work in Dropbear or some of the other SSH servers. There's actually
[04:47.840 --> 04:52.560]  SSH.com, which has an SSH server, and there's a few different ones, but most of the time you'll
[04:52.560 --> 04:58.960]  run into OpenSSH and most of the talk is geared towards that. On Windows, you can obviously
[04:58.960 --> 05:05.680]  drop into WSL, WSL2, and then you're just at a Linux prompt. So you'll have the SSH client.
[05:06.160 --> 05:12.740]  There's a GUI that's called PuTTY, which is from way back when. And then there's Plink,
[05:12.740 --> 05:18.820]  which is the CLI implementation that uses the same SSH stuff under the hood that PuTTY's using.
[05:18.820 --> 05:27.440]  And then additionally on Windows 10, after 1809, OpenSSH is available in the Windows app store.
[05:27.440 --> 05:33.880]  So you can get the SSH server and the SSH client. And then lastly, another tool that's super common
[05:33.880 --> 05:39.040]  that we're going to take a look at a little bit here is Paramiko, which is a Python library
[05:39.040 --> 05:43.940]  that implements the entire protocol, the entire SSH protocol, both client and server
[05:44.960 --> 05:51.680]  in Python. Super useful for being able to write scripts that either log into systems for
[05:51.680 --> 06:01.100]  you and do stuff, or, as we'll see later, make a server. Another reason SSH is super useful here,
[06:01.100 --> 06:08.960]  it's really simple to enumerate. So by default, SSH is port 22. That's the port that it has
[06:08.960 --> 06:14.920]  registered. You can move it to different ports, but all of the servers, if they're installed
[06:14.920 --> 06:21.660]  just like with the app or whatever, it's SSH. Here you can just use netcat and just
[06:21.660 --> 06:28.480]  grab the banner. Really simple banner up front. It tells you that SSH 2.0 is the protocol version
[06:28.480 --> 06:35.060]  of SSH that it's speaking. The version, you can see, is an OpenSSH server, 8.3.1,
[06:35.060 --> 06:43.220]  and then it's running on a Debian system. So just with netcat, I can tell what version of
[06:43.220 --> 06:50.040]  the SSH protocol the SSH daemon speaks, what version of SSH is installed,
[06:50.040 --> 06:58.000]  and the operating system. There's even more stuff that you can figure out. So with Nmap,
[06:58.000 --> 07:03.280]  there's a bunch of other tools that can do this, but lots of people know how to use Nmap.
[07:03.280 --> 07:08.240]  When you run the discovery scripts, it will do that banner grab for you, and it will also
[07:08.240 --> 07:15.940]  enumerate all the algorithms that SSH is using. So SSH is a pretty old protocol. You'll
[07:15.940 --> 07:22.660]  run into systems that have older, more insecure algorithms and potentially vulnerable SSH versions.
[07:22.660 --> 07:26.960]  So there are some versions of SSH that are vulnerable to user enumeration and command
[07:26.960 --> 07:34.080]  injection and all sorts of stuff. So the fact that it is so easy to enumerate is pretty nice.
[07:37.340 --> 07:42.680]  So continuing on with the basics here, just running a command on the remote system. There's
[07:43.440 --> 07:48.740]  two strategies here, essentially. The first is I'm going to connect to the remote system
[07:48.740 --> 07:57.180]  and request an interactive shell. So the first command is just ssh. That's going to launch the
[07:57.180 --> 08:05.400]  command line, bob@, and then the IP address, 10.10.10.10. So that's saying log in to 10.10.10.10
[08:05.400 --> 08:12.520]  as the user bob. I cut out some stuff here. It'll prompt you for a password. And then you can just
[08:12.520 --> 08:17.440]  run commands interactively like you're sitting at a console on that system. So here you can see you
[08:17.440 --> 08:22.600]  can run the command whoami, and you see that you're bob. The other way you do this is to run
[08:22.760 --> 08:32.020]  a single command at a time. So I say ssh bob@10.10.10.10 whoami. It says bob. This is super
[08:32.020 --> 08:38.320]  useful if the system is being actively defended. So say one of the blue team or someone is actually
[08:38.320 --> 08:43.620]  on the system watching for connections and seeing who's logged in. They'd have to catch that and
[08:43.620 --> 08:48.560]  run that command while the whoami command is running, or whatever command you want to run. This
[08:48.560 --> 08:54.940]  is just an example. But they'd have to actually see that to see that you're logged in. This will
[08:54.940 --> 08:59.020]  still show up in last and in all of the logs and everything, but if someone's just sitting there
[08:59.020 --> 09:04.040]  trying to see if someone's actually logged in and watching for SSH processes to start, this will let
[09:04.040 --> 09:09.280]  you have a little race where you can run your command hopefully before they actually catch you
[09:09.280 --> 09:12.340]  doing whatever the thing is that you want to do.
[09:15.800 --> 09:22.500]  Like I said earlier, you can use SSH to copy files. So I can copy a file from my system to
[09:22.500 --> 09:28.180]  the remote system, or I can copy a file from the remote system to my system. There's two ways to
[09:28.180 --> 09:37.240]  actually do this. The first one that I've laid out here is SCP, so secure copy. And in the first
[09:37.880 --> 09:43.660]  example here, I'm going to upload a file from my computer to the remote system. So what that
[09:43.660 --> 09:49.340]  looks like is I do scp, the file that I want to copy up, and then, just like we saw before,
[09:49.340 --> 09:55.260]  I'm going to do the username at that system, and then I'm going to give it the path that I want to
[09:55.260 --> 10:01.360]  copy it to. So here I want to say in the user's home directory in the bin folder, name my file
[10:01.360 --> 10:05.400]  not malware. So I'm going to copy my malware up there and hopefully they won't catch it because
[10:05.400 --> 10:09.860]  I called it not malware. And that is super secret and they will totally never be able to figure that
[10:09.860 --> 10:17.300]  out. Next, say I want to download a file from their remote system. So I've been looking around
[10:17.300 --> 10:24.380]  and I see that there is this /etc secret sauce that I'd like to get to my local system. Just
[10:24.380 --> 10:28.860]  like before, it's source and destination, but I want the source now to be the file on the remote
[10:28.860 --> 10:36.460]  system, and then the destination to be the file on my system. So scp, bob at the remote system,
[10:36.460 --> 10:43.180]  the path that the file is at. So here it's /etc secret sauce. And then finally my loot folder.
[10:43.220 --> 10:49.020]  So every good hacker kid should have a loot folder and I'm going to copy that secret sauce
[10:49.020 --> 10:56.960]  into that folder. Additionally with SCP, I can recursively copy. So say I just want to grab
[10:56.960 --> 11:01.020]  everything in that secret folder. I don't know what it is. I'll look at it later. I'm going to
[11:01.020 --> 11:11.300]  go ahead and use the -r for recursive flag here to scp. So scp -r, bob@10.10.10.10,
[11:11.300 --> 11:14.760]  the /etc secret folder down into my loot folder.
[11:17.040 --> 11:23.320]  The next way you can copy files is with the SFTP command. So this is secure FTP.
[11:23.320 --> 11:29.380]  This is actually a completely different implementation, or different part of the
[11:29.380 --> 11:35.220]  protocol, to copy those files. So SCP and SFTP, while they accomplish the same thing, are actually
[11:35.220 --> 11:38.900]  doing different stuff under the hood, but functionally it's the same. And if you're
[11:38.900 --> 11:47.660]  familiar with FTP, hopefully this makes sense. You sftp as bob to 10.10.10.10. And then the
[11:47.660 --> 11:52.780]  first command, I want to download a file. So I get that file. I say get from /secret sauce
[11:52.780 --> 11:59.620]  to my loot folder, secret sauce. And then next example, I want to upload a file.
[11:59.620 --> 12:07.020]  So sftp bob@10.10.10.10. I'm going to put from my artifacts folder, the malware,
[12:07.020 --> 12:12.060]  and I'm just going to put it into not malware. Once again, super secret,
[12:12.060 --> 12:15.540]  no one will ever catch that. Totally not malware. Don't look at it. It's fine.
[12:15.540 --> 12:24.780]  And similar to SCP, SFTP has a recursive option for the get command. So get -r
[12:24.780 --> 12:29.240]  /tmp/secret from the remote side. So say that's a folder. And then I'm just going to
[12:29.240 --> 12:35.320]  download it into my tmp folder until I can figure out what to do with it. And you can see
[12:35.320 --> 12:43.180]  what happened there. So, kind of the basics there: SSH lets you log into a remote
[12:43.180 --> 12:49.760]  system, get a shell on that system. If you want, you can run commands singularly. So you don't
[12:49.760 --> 12:54.900]  even have an interactive session. So it's a lot harder to find. You can copy files down. You can
[12:54.900 --> 13:00.440]  copy, or you can download files. You can upload files. Even that just alone is super useful
[13:00.440 --> 13:07.040]  to an attacker just in and of itself, but let's go ahead and move on forward to fun with
[13:07.040 --> 13:12.320]  port forwards and we'll see kind of the more advanced stuff you can do and how you can use
[13:12.320 --> 13:19.440]  this SSH in your tool belt to get around common firewall setups and that kind of
[13:19.440 --> 13:25.980]  thing. So first here, we're going to look at local forwarding.
[13:27.260 --> 13:35.540]  So in this scenario, I have access to the 10.10.10.10 system. Hopefully that was enough 10s.
[13:36.100 --> 13:42.840]  And I happen to know that that is sitting on a boundary. So here in this slide,
[13:42.840 --> 13:47.780]  I'm showing you that I have this box, which I'm going to call my jump box. So 10.10.10,
[13:48.480 --> 13:52.220]  or you'll also hear this called a bounce node and I'll probably go back and forth,
[13:52.220 --> 13:56.460]  but I happen to know that this is sitting on a security boundary here. And there
[13:56.460 --> 14:04.560]  are other systems back in here that I'd like to get access to. I can use SSH to forward ports
[14:04.560 --> 14:11.480]  from my system through that system. It looks a little bit like this. So I'll have
[14:14.020 --> 14:21.640]  port 8080 on my local system. We'll jump through that 10.10.10.10 system and then point at one of
[14:21.640 --> 14:28.720]  the systems on the other side. All of that will go over the SSH tunnel. So that traffic is encrypted
[14:28.720 --> 14:36.540]  from my laptop here to this system. And then it comes out of here and we'll wind up over
[14:36.540 --> 14:43.640]  looking at the system. What that looks like on the command line is you use the -L
[14:44.380 --> 14:50.660]  for local forward. And you want to tell it the port on your system that you want to listen on,
[14:51.380 --> 14:54.800]  the host that you want that connection to go to on the far side,
[14:54.800 --> 14:57.920]  and the host port on the far side that you would like to go to.
[14:58.720 --> 15:05.280]  Okay. So in practice, what this looks like is ssh -L. I want to listen on my host
[15:05.280 --> 15:12.300]  on port 8080 on my laptop. I want that traffic when I go to port 8080 to go out the other side
[15:12.300 --> 15:18.340]  to 192.168.1.10 on port 80. So say there's a web server on that system that I'm trying to get
[15:18.340 --> 15:27.460]  access to. And then I'm logging in as Bob to that bounce node, 10.10.10.10, 10.10.10.10.
[15:27.460 --> 15:33.580]  Different IP addresses. And then interestingly here, I'm going to give it -N. So that tells
[15:33.580 --> 15:39.500]  it not to request a shell. And then I'm going to background it. What that does is now I have 8080
[15:39.500 --> 15:44.860]  listening. I can now go onto my next command. I didn't request a shell on the remote system.
[15:44.860 --> 15:49.660]  So once again, if there's a defender watching that system and trying to see like run a who
[15:50.140 --> 15:55.640]  or see who's logged into it, all they'll actually see is that there's an sshd process. It doesn't
[15:55.640 --> 16:00.080]  actually spawn a shell or anything. And then if they're really on the ball, they'll look at
[16:00.080 --> 16:03.900]  netstat and see the network connection. But most of the time they just won't realize that there's
[16:03.900 --> 16:09.440]  somebody logged in. And then, like I said, that's backgrounded. So on my local system now
[16:09.440 --> 16:15.960]  I can point curl at localhost on port 8080. And so there's an HTTP server there that happens to
[16:15.960 --> 16:22.020]  be serving a file called secret that I need to get. And I get it and it looks like I won.
[16:24.920 --> 16:31.280]  That's super fun and all being able to do a local forward, but I don't want to do that one
[16:31.280 --> 16:36.880]  by one by one through all of these systems on this network. Thankfully SSH was nice enough
[16:36.880 --> 16:43.760]  to think of this. The kind developers of OpenSSH implemented this thing called
[16:43.760 --> 16:51.100]  dynamic port forwarding. So what this does is this lets me open up on my system, a port that will
[16:51.100 --> 16:59.360]  forward over that SSH tunnel as either a SOCKS4 or SOCKS5 proxy. And then I'm essentially using
[16:59.360 --> 17:04.920]  that SSH server as a proxy server. And I can get to any of the systems behind that network,
[17:04.920 --> 17:12.660]  as long as whatever I'm using speaks that SSH protocol. So if I use this proxy
[17:12.660 --> 17:18.960]  port, then I can proxy that through this system and just get to any of the systems that
[17:18.960 --> 17:23.440]  are behind here in the way this kind of basic network example is laid out.
[17:24.640 --> 17:31.220]  And, kind of counterintuitively here, it's actually easier to do this than the just
[17:31.220 --> 17:37.580]  singular local forward, at least on the SSH side. So all I'm doing here is
[17:37.580 --> 17:44.780]  -D for dynamic and that does a dynamic forward. I'm telling it port 1080, just the common SOCKS port.
[17:44.780 --> 17:53.160]  And then same thing, bob@10.10.10.10. I think I got that right this time. And
[17:53.160 --> 17:59.780]  super nice and easy. Once I run that command, I've successfully logged in. I now have a proxy
[17:59.780 --> 18:06.660]  server. I've turned that SSH system into a proxy server. So what I can do with that is I can point
[18:06.900 --> 18:11.980]  a web browser at that proxy server. So for instance, here, Firefox: in Firefox,
[18:11.980 --> 18:18.300]  go to Preferences, Network Settings, click the manual proxy configuration button,
[18:18.300 --> 18:24.900]  and then do SOCKS host. And here I've picked SOCKS5, and then I just
[18:24.900 --> 18:29.620]  tell it my port 1080. Now, anything my browser tries to go to is going to forward over that
[18:29.620 --> 18:36.740]  SOCKS proxy and come out in that other network. Additionally, you can use, I like to use
[18:36.740 --> 18:40.780]  proxychains. There's actually a couple of different tools to do this, but proxychains is the one
[18:40.780 --> 18:46.980]  that I know how to use. So it's pretty easy for me. You can use proxychains here and you
[18:46.980 --> 18:53.920]  just configure it to tell it where the proxy host is. And then you use the command proxychains
[18:53.920 --> 19:01.880]  here. I'm just going to drop into a bash, and what proxychains does is it hijacks the libc
[19:01.880 --> 19:09.280]  calls to socket operations, and then, for TCP operations, forwards
[19:09.280 --> 19:13.280]  them over that SOCKS protocol, speaks the SOCKS protocol, and then forwards the traffic over.
[19:13.340 --> 19:19.140]  So anything in that bash session gets forwarded over that proxy. You can do one-off commands,
[19:19.140 --> 19:24.040]  but I like to drop into a bash here a lot because you can do curl and a bunch of other stuff,
[19:24.040 --> 19:29.100]  nmap and netcat and all that kind of stuff. You have to use the right options because nmap needs
[19:29.100 --> 19:34.880]  to be on layer two sometimes, depending on how you're trying to scan, but for TCP scans,
[19:34.880 --> 19:43.480]  super useful. And so you've essentially just used that SSH host to bounce into that
[19:43.480 --> 19:49.120]  network that you probably didn't have access to necessarily, but
[19:49.520 --> 19:52.640]  thankfully you got access to that one SSH host and you got in.
[19:54.800 --> 19:59.940]  The next way you can port forward is kind of the opposite of the local forward,
[19:59.940 --> 20:06.980]  which is the remote forward. So say I am sitting on my laptop and I would like a port on that SSH
[20:06.980 --> 20:16.220]  server to open up and forward that port back to my system. So I'll do this with SSH a lot to get
[20:16.220 --> 20:21.940]  from a system out to the network and then be able to do all of that same forwarding and tunneling
[20:21.940 --> 20:28.940]  and stuff just in the opposite way. So say I'm actually on, I have to be on both
[20:28.940 --> 20:34.560]  systems in this scenario. So I'm on my laptop and then I also have access to this system in the
[20:34.560 --> 20:38.920]  network and I'm, say I'm trying to exfil some data or something. I can't get out because they're
[20:38.920 --> 20:44.460]  blocking the internet, but I have access to this and I have access to my laptop. So what I do is
[20:44.460 --> 20:50.200]  I SSH and I set up a remote forward from here that says, hey, listen on 2222 here
[20:50.200 --> 21:00.040]  and forward that back to me on port 22, which is SSH. Then from this system, I can just use any of
[21:00.040 --> 21:06.500]  those SSH commands provided I have the SSH command line and I can do stuff like copy files to here,
[21:06.500 --> 21:11.880]  but it's really forwarding to here. So anyone looking at the network traffic, nothing's actually
[21:11.880 --> 21:17.680]  going out over the firewall or anything. It's just traffic going to here. And then there's a secure
[21:18.360 --> 21:26.560]  connection to here from the bounce host to my laptop. So nothing actually, unless you're
[21:26.560 --> 21:30.840]  really on the ball, looks like it's coming from this to my laptop. It's routing through this other
[21:30.840 --> 21:40.640]  system. So what that looks like here is you use the -R command for remote. I'm going to tell
[21:40.640 --> 21:46.460]  it what port to listen on and I'm going to tell it the host
[21:46.460 --> 21:53.480]  that I want it to listen on. And then the host port that I want it to forward to. So I say,
[21:53.480 --> 22:01.700]  listen on 2222, open that up on any. So 0.0.0.0 is the any address. And then forward that traffic
[22:01.700 --> 22:09.000]  back to me on port 22. I log in as Bob to that 10.10.10.10. I do minus N again, because I don't
[22:09.000 --> 22:15.880]  want to actually get a shell here. Importantly, to be able to do this, listen on 0.0.0.0,
[22:15.880 --> 22:24.460]  the SSH server that I'm logging into, so this guy 10.10.10.10, has to have GatewayPorts enabled,
[22:24.460 --> 22:29.120]  or else you won't be able to do this by default. Luckily, it's a pretty easy change. You just
[22:29.120 --> 22:35.480]  update /etc/ssh/sshd_config. We'll look at config stuff a little bit later, but you can just change
[22:35.480 --> 22:40.860]  this. It is no by default, but you just change it to yes. And then you restart SSH. Your connection
[22:40.860 --> 22:47.740]  stays alive, everything keeps working, and then you can do this. And then from that system that's
[22:47.740 --> 22:55.100]  inside the network that can't get out, I SSH to the 10.10.10.10 on port 22. So this -p
[22:55.100 --> 23:01.640]  tells it to go different than the default port. I log in. I can either log in or I can copy files
[23:01.640 --> 23:08.420]  or do whatever I want. Important thing to point out is if I'm on a system that I don't control
[23:08.420 --> 23:16.240]  and I SSH into my system, I am potentially giving
[23:16.240 --> 23:22.700]  up credentials or a password or something to my system. So be careful with this. Make sure that
[23:22.700 --> 23:27.180]  this system, this user that they're logging into, is something that they're not too worried
[23:27.180 --> 23:31.060]  about and that that user is locked down and that they can get everything, or you're kind of letting
[23:31.060 --> 23:36.240]  them into your system and getting hacked yourself and you do not want to be that person.
[23:39.460 --> 23:45.800]  So that's cool, but it's a lot to type. Say I want to do this same scenario where I have a tunnel
[23:45.800 --> 23:52.120]  and I want to log into that. I want to log in through my jump box or my bounce node. I want to
[23:52.120 --> 23:58.380]  land over here. So I would have to SSH to here, do a port forward to tell it to go over here,
[23:58.380 --> 24:03.120]  and then SSH to that port forward and go over here. And that's a lot of work and I'm a lazy
[24:03.120 --> 24:09.020]  hacker. I don't want to do that. Thankfully, the people that implement SSH are not lazy. So they
[24:09.020 --> 24:15.160]  think of all of these things and have it done ahead of time. SSH has this cool option called
[24:15.400 --> 24:21.020]  ProxyCommand. The ProxyCommand is the old way to do this and they've actually since implemented
[24:21.240 --> 24:25.460]  a new version. But proxy command is still super useful and we'll see another use of this in just
[24:25.600 --> 24:31.580]  a second. But what you do is you say -o, which is option. You say ProxyCommand. I want my proxy
[24:31.580 --> 24:38.060]  command to be SSHing to that remote system again. And then here percent H and percent P get replaced
[24:38.060 --> 24:42.260]  with the system that you're trying to log into. So it would be a remote and the port.
[24:46.460 --> 24:51.340]  Like I said, this is kind of the old way to do it. The SSH developers were nice enough to realize
[24:51.340 --> 24:57.340]  that this is also a lot to type. So they made this thing called ProxyJump, which you can do with -J
[24:58.380 --> 25:04.160]  and tell it, Bob, this is essentially doing the same thing as this. And then you're just logged
[25:04.160 --> 25:12.040]  in and like we saw, you now have this set up where you're actually SSHing through this system to here.
[25:12.040 --> 25:19.720]  Anybody monitoring this boundary for access to this system won't actually see that because you're
[25:19.720 --> 25:25.000]  actually going through here and to here. You're not going straight to it. So that is a pretty
[25:25.000 --> 25:30.780]  useful way to get around some kind of common network monitoring and popping through some
[25:30.780 --> 25:36.020]  boundaries. You can actually do some really cool stuff with this where you set up like different
[25:36.020 --> 25:43.180]  jump boxes and have them go through different layers and it starts to get pretty fun. You can
[25:43.180 --> 25:48.520]  do some pretty crazy stuff. So like I said, though, that proxy command is super interesting
[25:48.520 --> 25:54.900]  and shout out to SubT for kind of prompting me to look at this. Here, I'm actually using a proxy
[25:54.900 --> 26:05.080]  command to configure my SSH to use an HTTP proxy to get to wherever I'm trying to go.
[26:07.280 --> 26:13.760]  So I'll say that again. I'm using a proxy command to use an HTTP proxy to get to where I'm trying
[26:13.760 --> 26:20.880]  to go. So anybody looking at this traffic is going to see a connection to an HTTP proxy and not even
[26:20.880 --> 26:26.720]  realize that I'm SSHing through that proxy out to the other side. This is super useful when you're
[26:26.720 --> 26:32.200]  in a network that's very locked down and is only letting certain things through and you have to
[26:32.200 --> 26:45.760]  use an HTTP proxy to get out. Or if you just want to blend in. Another thing that is very useful
[26:45.760 --> 26:49.900]  here is so now I have all of these tunnels and this forwarding and all of this cool stuff that
[26:49.900 --> 26:54.960]  I want to set up but SSH is a TCP protocol. So if anything happens in this connection,
[26:54.960 --> 27:00.660]  any of the routers or something timeout, something weird happens, that connection will die. Maybe I
[27:00.660 --> 27:05.920]  want this tunnel to be set up really long-lived and how I accomplish this is with a command
[27:05.920 --> 27:12.940]  called autossh. And what I like to do with this is I will set up autossh to log into my laptop
[27:12.940 --> 27:22.960]  and forward port 2222 on my laptop back to the host. So I apologize the arrow is backwards here.
[27:22.960 --> 27:30.920]  But it would actually forward from 2222 back to my host on 22 and funnel that traffic. So I connect
[27:30.920 --> 27:38.800]  here and it goes out here. So there's an autossh connection out. It sets up that remote port forward
[27:38.800 --> 27:44.740]  to come back. And if that connection dies, autossh will restart it for me, monitor that process
[27:44.740 --> 27:49.420]  and restart it for me. That effectively lets me maintain access to this and I don't have to do
[27:49.420 --> 27:58.280]  anything once it's set up. And what that looks like is you use the autossh command. It's just
[27:58.440 --> 28:04.020]  a tool that you can install. I'm giving it some options here, the ServerAliveInterval,
[28:04.020 --> 28:09.780]  ServerAliveCountMax. So this will wait 30 seconds and it will max try three times.
[28:09.960 --> 28:17.800]  And then I'm telling it to remote forward on 2222 to port 22 on my local host. And then I log into
[28:17.800 --> 28:27.080]  my laptop, aka Hackbox. And then on Hackbox, I can ssh -p 2222 and tell it, bob,
[28:27.080 --> 28:30.840]  because that's the user that I have at local host. And that's actually going to go through that
[28:30.840 --> 28:35.260]  tunnel back in through the network. And then I'm just logged into that victim system.
[28:36.360 --> 28:42.200]  Once again, this is super cool, because like all someone monitoring this network would see
[28:42.200 --> 28:49.560]  is someone logging into a system remotely. So say you're here, this boundary is monitored,
[28:49.560 --> 28:55.880]  all you see is an SSH out, you don't actually see me tunneling back in. So it looks like someone
[28:55.880 --> 29:01.240]  who already is logged into this just logged into something on the internet. And that is what
[29:01.240 --> 29:06.020]  happened. But then additionally, I'm logging back into that system here. So I actually have shell
[29:06.020 --> 29:16.240]  access that they might not be wanting me to have. So a bunch of fun stuff you can do with port
[29:16.240 --> 29:22.500]  forwarding, super useful for kind of crossing those security boundaries and getting into networks that
[29:22.500 --> 29:29.600]  you're not necessarily supposed to have access to. With autossh, you can maintain that access.
[29:30.200 --> 29:34.660]  And to get creative with it, you can jump around and get to a bunch of different network segments
[29:34.660 --> 29:39.720]  and really make it confusing. With all the port forwarding, you can make it look like someone's
[29:39.720 --> 29:43.900]  connecting from a different system as long as you have access to connect all through. So someone
[29:43.900 --> 29:48.980]  that's trying to trace that back through network logs, or system logs, it's going to have a rough
[29:48.980 --> 29:53.840]  time because you're essentially using a proxy to get through a bunch of stuff. And you can proxy,
[29:53.840 --> 30:04.620]  proxy, proxy and jump around and good clean fun to be had by all. So configuration. So what we're
[30:04.620 --> 30:09.900]  going to talk about here is a bunch of different ways that you can configure SSH to do things that
[30:09.900 --> 30:14.680]  are kind of unexpected, or just interesting configurations that are useful, kind of in
[30:14.680 --> 30:21.140]  operations or in the process of doing things. First up, I want to point out that we
[30:21.140 --> 30:28.140]  have these escape sequences. So if I've SSH into a system, and I have an interactive shell,
[30:28.140 --> 30:35.020]  SSH actually has this kind of hidden shell that you send a special character sequence,
[30:35.020 --> 30:40.080]  it's like a cheat code almost. And it gives me all of this functionality. So what I did here is
[30:40.080 --> 30:44.840]  my prompt, I did new line tilde question mark, just in quick succession without anything else
[30:44.840 --> 30:53.040]  going on. And that's showing me the help for this escape sequence prompt. Probably the most useful,
[30:53.040 --> 30:58.800]  the ones I use all the time, is the terminate connection. So if something messes up with that
[30:58.800 --> 31:04.320]  SSH session, and my term, my shell is hung, and I can't get it to work anymore, instead of having to
[31:04.320 --> 31:09.460]  drop into another prompt and find the SSH process and kill it, you can just do this tilde, new line
[31:09.460 --> 31:15.900]  tilde dot and it kills the SSH session. Also super useful if your friends let you sit at
[31:16.020 --> 31:25.260]  a prompt for their SSH and you want to mess with them. Just do that real quick. The other one that
[31:25.260 --> 31:37.860]  is super useful here is the background, or sorry, the command line. And that's the capital C. So
[31:38.460 --> 31:43.480]  why is this useful? You already saw you can just do this with the command line, right? You can SSH
[31:43.480 --> 31:48.960]  -L and open up the port, or -R and open up the port and all that kind of stuff.
[31:50.100 --> 31:58.320]  So this is one of those things that's really useful, but not very often. So the most use I
[31:58.320 --> 32:04.180]  have out of this is when I have access to SSH on a system, someone's actively trying to defend it,
[32:04.180 --> 32:09.960]  and they've changed the password on me, or gotten rid of my SSH key that we'll see here in a minute,
[32:10.400 --> 32:17.300]  or whatever. I can't log back into that prompt, or that SSH session. So I can't log out to port
[32:17.300 --> 32:20.880]  forward, but I want to port forward through that because I still have access and they haven't
[32:20.880 --> 32:25.420]  noticed that my actual shell exists. They just noticed that the account was compromised.
[32:25.520 --> 32:30.200]  So I can still scan the network and do a bunch of stuff from there. I just need to be able to
[32:30.200 --> 32:36.320]  change some of the port configs and I can't log out and log back in. That is when this is the most
[32:36.320 --> 32:45.540]  useful. So just like all of the other commands, -L, -R, -D, lets you set up all
[32:45.540 --> 32:52.780]  of those port forwards. And then it's -KL to cancel them or kill them.
[32:54.900 --> 32:59.060]  Once again, super useful, kind of keep it in your back pocket. It's not
[33:00.160 --> 33:05.240]  really common that I run into this, but when I have needed this, it was invaluable.
[33:07.000 --> 33:13.860]  So I talked a little bit about authorized key there. So one of the things you can do with SSH is
[33:15.680 --> 33:20.800]  trying to log in and put your username and your password all the time isn't very much fun. It's
[33:20.800 --> 33:26.700]  kind of insecure. We'll see a little bit later why that is pretty insecure. So SSH came up with
[33:26.700 --> 33:36.240]  this concept of an authorized key. So this is just public key cryptography. I generate a public
[33:36.240 --> 33:41.640]  private key pair. I put the public key on the remote system that I want to log into in a
[33:41.640 --> 33:46.000]  configuration file and say anyone that has the private key for this public key is allowed to log
[33:46.000 --> 33:52.760]  in. So this is very, very useful when you run into SSH for a couple of different things.
[33:53.120 --> 34:00.320]  One is if you can get access to someone's private key, you can log into any of the systems as them
[34:00.320 --> 34:07.760]  that they log into. Because of that, you actually generally, you're prompted to put a password in
[34:07.760 --> 34:13.040]  to password protect that private key. So when you try to use it, you have to decrypt the private
[34:13.040 --> 34:20.240]  key before you can use it. Most of the time or still a lot of the time, sadly, people that are
[34:20.240 --> 34:26.060]  generating these keys just hit enter twice and then you get an SSH or a private key that is not
[34:26.060 --> 34:31.820]  protected. And by sadly, I mean awesomely because it's great and you find this all the time.
[34:33.800 --> 34:41.700]  So where that file is stored is generally there's two places. SSH is either or the SSH stuff is
[34:41.700 --> 34:47.100]  either in /etc/ssh, which is the global configuration, or here where we're looking
[34:47.100 --> 34:51.870]  at it in the user's configuration, which is the .ssh folder in their home directory.
[34:52.840 --> 34:59.500]  So here specifically, this is in root's home directory. We've generated a key pair. The
[34:59.820 --> 35:06.120]  default for the RSA keys is just id_rsa. And then you'll have id_rsa.pub.
[35:06.120 --> 35:15.580]  If you copy that id_rsa.pub to the .ssh/authorized_keys file for any user,
[35:17.340 --> 35:21.580]  you can log in to that user account without a password.
[35:22.660 --> 35:29.160]  So this is also super useful in the case where I land on a system and I don't know the user's
[35:29.160 --> 35:35.140]  password, so I can't change their password. But I'd like to be able to SSH in as them.
[35:35.140 --> 35:42.620]  I can add this key and then I can SSH into that account as them and have a full PTY shell that
[35:42.620 --> 35:46.720]  lets me do all of the things you would do with a full PTY shell, edit files, run sudo,
[35:46.720 --> 35:53.080]  all that kind of stuff. And essentially, this lets you maintain access. I don't need to know
[35:53.080 --> 35:58.980]  the user's password as long as that file exists. So this is also super useful for
[35:59.420 --> 36:06.520]  like Hack The Box style challenges where you get a web shell or just if you have a web shell
[36:06.520 --> 36:13.820]  as a user and you want to upgrade to that user level access. If you have the ability to write
[36:13.820 --> 36:20.160]  to this file, then you just add an SSH key in here and you can log in. SSH by default will
[36:20.720 --> 36:27.240]  check the permissions of that file and not use it if they aren't correct, but sometimes it is
[36:27.240 --> 36:33.280]  configured to not do that. So it's always worth checking. Kind of the meta here is it's always
[36:33.280 --> 36:38.440]  worth looking in the SSH folder because there is a bunch of different stuff and we'll see more of
[36:38.440 --> 36:46.540]  that here coming up. So next is the known hosts file. So this file is a list of all of the systems
[36:46.540 --> 36:52.860]  that a user is logged into. For anybody familiar with SSH, when you SSH out to a system the first
[36:52.860 --> 36:57.660]  time, it'll say, hey, I don't recognize this system. This is the public key. Do you accept
[36:57.660 --> 37:04.700]  this? When you do that, it saves that into this file called the known hosts. That known hosts
[37:04.700 --> 37:10.160]  file will have one entry per line and then it has the IP address or the host name and then the
[37:10.160 --> 37:16.500]  public key information. So this is super useful. If I can see this and I'm the user, say I now
[37:16.500 --> 37:22.460]  have access to their unencrypted private key and then I also have access to all of the IP addresses
[37:22.460 --> 37:27.940]  that they're logging into, a pretty easy way to pivot around the network and find other systems
[37:27.940 --> 37:39.620]  that I have access to. The next file here that is super interesting is the SSH config. So all
[37:39.620 --> 37:43.920]  that stuff that we've been going over, all of the port forwards, all of the different things
[37:43.920 --> 37:50.580]  are super great, but typing all of that's horrible and I'm a lazy hacker. And once again, the SSH
[37:50.580 --> 37:56.220]  developers, they know that, I guess, and they came up with a solution for it. So that's this
[37:56.220 --> 38:04.020]  SSH config. Like all, most of the other SSH stuff, the default or the kind of system-wide
[38:04.020 --> 38:09.580]  configuration is in /etc/ssh and then the user configuration is in .ssh in the user's home
[38:09.580 --> 38:18.520]  directory. That config file looks like this. So here someone has set up a host called bounce.
[38:18.520 --> 38:24.340]  The username is bob. They're logging into 10.10.10.10. They would like to do a local forward
[38:24.340 --> 38:32.680]  of port 8080 to 192.168.1.10:80. They're going to do a dynamic forward for 1080 and they're going to
[38:32.680 --> 38:41.760]  do a remote forward for 8080 on 192.168.1.10:80. On the command line, you can just do ssh bounce
[38:41.760 --> 38:47.300]  and then all of those configs will get set in the command line. You don't have to do anything at all
[38:47.300 --> 38:52.500]  anymore. It's just ssh bounce. It'll tab complete if you have bash completion. Super awesome.
[38:54.280 --> 38:58.840]  When you land on a system, if you have access to this config file, this is another way to find
[38:58.840 --> 39:02.220]  systems that people are logging into because they'll have a bunch of configs like this
[39:02.220 --> 39:08.820]  for easy mode accessing the systems that they access. And you can see, okay, so this bob guy
[39:08.820 --> 39:14.120]  has access to 10.10.10.10 and likes to check out these other systems on these ports. So
[39:14.120 --> 39:21.460]  something I can try to do. Another fun thing you can do with ssh config is get it to do
[39:21.460 --> 39:29.660]  stuff that people are not intending. So let's say in this scenario, I know that bob is sshing
[39:29.660 --> 39:35.080]  from the server that he's on 10.10.10.10 to that system that he has internally.
[39:35.680 --> 39:43.120]  Every time he does that, I would like to get a shell back to me on 4141 from his system.
[39:45.520 --> 39:51.960]  With ssh config, I can do that. So here, I configure it, say I'm on his server for some
[39:51.960 --> 39:57.020]  reason. I have access to his ssh config. I'm going to go ahead and I like to set this up for all
[39:57.020 --> 40:04.280]  hosts. By default, you're not permitted to run a local command, but luckily in the config file,
[40:04.280 --> 40:09.660]  you can just tell it to let you do that. And what I'm going to do here is tell it the local
[40:09.660 --> 40:17.920]  command is to netcat me a /bin/bash shell to my IP address on my listener and background and then do
[40:17.920 --> 40:25.340]  whatever else bob was trying to do. So every time bob logs into a host, it will spin a shell back
[40:25.340 --> 40:32.560]  to me and I'll get access to his system. So say my shells keep dying or I just want to kind of
[40:32.560 --> 40:41.660]  maintain access in a super easy way. Another config file that is super awesome is this
[40:41.660 --> 40:49.660]  run commands file or RC file. This similarly has the /etc version or the user version,
[40:49.660 --> 40:55.300]  but what this does is this runs a command when the user's logging in right before it drops them
[40:55.300 --> 41:03.460]  to a shell. So back to our scenario, say I'm actually on this far system and now I want
[41:03.580 --> 41:09.440]  a shell to come back to me every time somebody logs in. So when somebody logs into this system,
[41:09.440 --> 41:17.580]  it sends me a shell. What that looks like here is I just put this simple netcat listener just
[41:17.580 --> 41:23.200]  like the other one roughly in this. I say netcat spit a shell back to me on my listener IP address
[41:23.200 --> 41:30.320]  on port 4141 and then background and go ahead and keep doing whatever it is that people want to do.
[41:30.660 --> 41:36.620]  So I encourage people to look at the config files. There's a ton more things you can do in there.
[41:36.620 --> 41:40.860]  These are kind of simplified versions for slides and to demonstrate the purposes.
[41:41.240 --> 41:46.420]  With the config files and the port forwarding, you can really get yourself into some pretty
[41:46.420 --> 41:56.940]  scenarios with that jump proxy command or proxy jumper command or config option. And then also
[41:56.940 --> 42:03.420]  it goes in the config file. With those, you can set up really intricate port forwards and get
[42:03.420 --> 42:07.240]  through all sorts of different interesting things. And like I was saying before, really kind of run
[42:07.240 --> 42:14.720]  havoc on networks and for someone trying to trace stuff back. Now let's look at a couple different
[42:14.720 --> 42:22.100]  ways that I've successfully gotten creds out of SSH. The first one being, say I'm on a system
[42:22.100 --> 42:28.260]  and I know someone is logging into other systems. I see their SSH config, but I don't have their
[42:28.260 --> 42:32.060]  private key. They're not even using private keys. I just know they're using passwords.
[42:32.300 --> 42:36.400]  So I want to be able to get to that system that they're getting to, but I need to get that
[42:36.400 --> 42:43.100]  somehow. So a thing I like to do is I set, I create a little shell script here that's in their path
[42:43.100 --> 42:50.400]  before the normal SSH command. So the SSH command by default is in /usr/bin/ssh.
[42:50.440 --> 42:56.900]  Here I'm making a shell script called /usr/local/bin/ssh that prompts the user for a password again
[42:56.900 --> 43:04.800]  and then writes that password to a temp file and then just SSHs for them. So what that looks like,
[43:04.800 --> 43:10.120]  and I'm sure people that are used to SSH, is you SSH out, it asks you for your password,
[43:10.120 --> 43:14.800]  you typoed it, it just asks you for your password again, you typed it right, you're good to go,
[43:14.800 --> 43:19.980]  and then eventually you exit. And you can see here that in temp.creds, I've now stolen that
[43:19.980 --> 43:26.300]  super secret password and I have Bob's password for 192.168.1.10. I'm able to pivot and kind of
[43:26.300 --> 43:34.000]  be on to the next thing. Additionally, so let's say the other way is true. Someone's SSHing into
[43:34.140 --> 43:41.600]  a server that I have access to and I want to see what their password is. Here I use the debug tool
[43:41.600 --> 43:47.340]  called strace which just looks for all of the system calls that happen in the binary. So I find
[43:47.340 --> 43:56.040]  the SSH process, I attach strace to that sshd process, and I tell it to just show me the reads
[43:56.040 --> 44:02.140]  because I know just I know how the SSH daemon works. I know that when you connect into it,
[44:02.140 --> 44:07.680]  it sends you a prompt and then reads your password from you. So here I'm telling it to just
[44:08.220 --> 44:12.600]  show me all of the reads. There are a lot of reads, so I've gone ahead and grepped them for
[44:12.600 --> 44:16.740]  this magic string that happens right before the password just as part of the protocol.
[44:16.740 --> 44:21.940]  And here you can see I've stolen this password of super secret from someone when they're logging
[44:21.940 --> 44:34.880]  into the SSH. Another really fun one here is using this paramiko to create your own SSH server.
[44:35.020 --> 44:41.100]  So this is kind of the most basic example of this that I can show and make it actually fit in a
[44:41.100 --> 44:49.740]  slide and be useful. But the idea here is say I'm on a server and it's not running SSH but I know
[44:49.740 --> 44:56.800]  someone is trying to log in. I need to speak enough of the SSH protocol to get them to give
[44:56.800 --> 45:02.240]  me their password. But I don't necessarily want to let them log in because I don't know what they're
[45:02.240 --> 45:08.840]  trying to do and I don't want to implement the entirety of all of SSH. So let's kind of run
[45:08.840 --> 45:14.580]  through this Python code a little bit. What I'm going to do here is for this line here I'm
[45:14.580 --> 45:20.880]  going to go ahead and grab the TCP socket or create a TCP socket. I'm going to bind on 22.
[45:20.880 --> 45:26.600]  So this means I have to have access to open those non-ephemeral ports. I'm going to listen for one
[45:26.600 --> 45:33.540]  connection and then accept for that connection. So once I've got a connection I let myself know
[45:33.540 --> 45:40.620]  hey someone from this addr has connected to me. Then I'm going to take advantage of paramiko and
[45:41.260 --> 45:49.820]  they call it transport in the paramiko implementation. With that transport I'm
[45:49.820 --> 45:58.040]  going to go ahead and add a server with the paramiko RSA key. So I have just a test key.
[45:58.040 --> 46:02.540]  So like I said before when you SSH out and it says I don't recognize this here's the public
[46:02.540 --> 46:07.820]  key this is going to be that key that it gives them. This is one chance that they could detect
[46:07.820 --> 46:12.160]  so if they're trying to SSH in and it's a key that they don't recognize you should just say
[46:12.160 --> 46:18.260]  no unless you know that there's a key that you should be seeing. But most people just say yes
[46:18.260 --> 46:21.520]  because they assume it's a server they haven't seen. And then I'm going to go ahead and start
[46:21.520 --> 46:29.060]  it with my server and tell it to just serve and then accept the connection. So what this looks
[46:29.060 --> 46:35.940]  like here is this now uses my server they connect in they get the SSH protocol does its negotiation
[46:35.940 --> 46:40.200]  and says the only thing I can do is password authentication. So they'll get a password
[46:40.200 --> 46:44.440]  prompt from the client because it knows how to speak enough of the protocol and then they'll
[46:44.440 --> 46:51.260]  send me the username and password to my SSH server and that the paramiko server will call
[46:51.260 --> 46:56.720]  this check auth with the username and password that it got. I can say hey cool check it out I
[46:56.720 --> 47:02.520]  got a username and password and then tell it no, that's not a valid username and password. So
[47:02.520 --> 47:08.100]  from the user's point of view they tried to SSH in the SSH failed they don't know why it is they
[47:08.100 --> 47:12.540]  don't know what this box is anyway it's not supposed to be on the network so kind of ignore
[47:12.540 --> 47:16.460]  this spawn a connect back shell that's not what's actually happening I'm actually starting an SSH
[47:16.460 --> 47:26.180]  server here so start my super secret awesome SSH server just with Python it tells me hey I got a
[47:47.100 --> 47:54.840]  So, that is kind of an intro and some a little bit deeper but not super crazy deep dive into
[47:54.840 --> 48:02.700]  all of the cool, not all of, but a bunch of the cool things you can do with SSH. You saw that
[48:02.700 --> 48:08.380]  just by default it gives you remote shell access, lets you do port forwarding, you can download
[48:08.380 --> 48:15.340]  and upload files, it's all encrypted. That port forwarding, you can use that to accomplish
[48:15.860 --> 48:20.620]  almost any sort of hopping that you need to be able to do around network segmentation. So,
[48:20.620 --> 48:27.340]  if you can get to port 22 and you have some sort of credential material to log into that port 22,
[48:27.340 --> 48:34.760]  you can do quite a bit inside a network. You can get access to systems you're not necessarily
[48:34.760 --> 48:40.640]  supposed to have access to. You can get around network protections that are trying to block you
[48:40.640 --> 48:46.820]  from doing things. You can mask your traffic in different protocols via proxies. You can make
[48:46.820 --> 48:52.120]  traffic look like it's coming from different systems via proxies. With all of the configuration
[48:52.120 --> 48:56.640]  options you saw, you can trick the system into doing things or really trick users into doing
[48:56.640 --> 49:03.260]  things that you're not expecting. Different ways you can run SSH commands such that it's harder to
[49:03.260 --> 49:13.660]  trace or see that information on the system. And download, upload, exfil all of the data.
[49:13.660 --> 49:19.980]  Really, the cool thing about this is you can use all of these SSH options. These are the basic ones.
[49:19.980 --> 49:24.340]  You can combine all of this to make yourself the craziest network map that you want.
[49:24.340 --> 49:30.040]  Pivot through all of the different things. SSH is becoming more and more ubiquitous across
[49:30.040 --> 49:37.680]  environments. It's now coming on Windows 10. You have WSL. It's very, very, very useful.
[49:38.300 --> 49:45.840]  So, I hope that was helpful. I hope it made you think a time or two about SSH and what you can do
[49:45.840 --> 49:51.680]  with it and all that kind of stuff. I hope to stay connected with everybody. Randori Attack
[49:51.680 --> 49:59.900]  is my team's Twitter. We are kind of always hiring someone at somewhere. So, hit up our careers
[50:00.860 --> 50:08.820]  off of our webpage. And then, if you're into information like this, follow our blog.
[50:09.160 --> 50:16.400]  Randori TTPs are tips, tricks, and POCs. Check that out for lots of information like this.
[50:17.500 --> 50:24.120]  And then, lastly, I'm pretty passionate about this. We need to make sure that we're taking
[50:24.120 --> 50:28.600]  care of ourselves. And popping all these shells is awesome. Maintaining all of this access is
[50:28.600 --> 50:34.880]  super great. But we also need to make sure that we're taking the time to get away and keeping
[50:34.880 --> 50:40.120]  ourselves fit. So, hashtag Red Team Fit. Check us out on Twitter. There's a bunch of discords
[50:40.120 --> 50:46.060]  all over the place. And we've got a bunch of groups and doing all sorts of really awesome stuff.
[50:46.060 --> 50:53.400]  And that's what I got. Thanks, everybody. Hashtag Red Team Fit.
